One of the more interesting security best practices is about to get turned on its head, thanks to some cutting-edge research at a small Israeli think tank and elsewhere. The notion is called an "air gap network" and the idea is to isolate a PC from the big bad Internet and any other communications networks so as to have complete security with the information that resides therein.

Air gaps have been around for many years, and have found their way into military and intensely secure installations as you might imagine. But they aren't foolproof. Perhaps the biggest known exploit of an air gap network occurred several years ago, when the Stuxnet virus was specifically designed to get inside the Iranian nuclear facility at Natanz. The virus contained specialized code to take over the nuclear centrifuges that were running in the plant and deliberately overspin them and damage the gear. It was accomplished by infecting an Internet-attached PC with malware that was looking for USB thumb drives attached to the infected PCs. Even though the centrifuges were controlled by isolated PCs, the plant's workers would download files to USB drives from Internet-connected computers and then carry them into the plant's protected area. Obviously, someone went to great lengths to create Stuxnet – which only worked under these limited circumstances and only could cause harm to a particular Siemens centrifuge controller – but still it is an example of how even the best planned air gaps can have their weaknesses. (Related infographic: How Stuxnet worked)

How to isolate your network

Disable any removable USB ports and other media slots such as CD drives (some IT managers use superglue and others use endpoint protection software) so that no external media can be attached to your computer to infect or exfiltrate any data.

Install special TEMPEST-style radio frequency protection, to trap any errant RF monitoring from your most sensitive computers.

Don't connect your PC to the Internet. Enough said on that.

Keep cellphones away from your PCs. They have so many communications pathways that it can be almost impossible to keep anything securely from them.

Think about using Virtual Desktop Infrastructure if you are going to be running a lot of apps across the Internet. This isolates the desktop session to inside your data center, where at least you can apply some solid security to these remote users.

That article cites research at Ben Gurion University. The same team that worked on the printer exploit also published another paper highlighting a second mechanism. In this attack, researchers disassembled one of the Android media player files that interacted with the smart phone's FM radio to figure out how to move information to the phone over those frequencies. They tricked the app into thinking that the headphone cable was connected (many phones use this as an antenna to capture FM radio signals) and to activate the phone's radio receiver. The phone was able to "listen" to the radio signals that came from an ordinary VGA video cable attached to a PC and a monitor and decode the information typed on the PC.

This latter research builds on earlier work done in Germany with the propagation of audio signals across another air gap network in their test lab.

Clearly, having just "air" as a gap can no longer protect your computer from potential attacks, whether they be transmitted by light or sound. Now granted, all three of these research projects describe pretty unique situations, and perhaps unlikely if not difficult to construct out in the real world. Nevertheless, having a nearby cell phone listen in on radio signals isn't all that far-fetched: I have been to several supposedly secure installations where I was asked to check my cell phone outside the actual data center. This could be still close enough for my phone to monitor a PC inside the room.

Still, air gaps have their utility and there are several vendors who have developed more secure networking and browsing technologies using them. Let's look at the network first. Earlier this year, I reviewed Unisys' Stealth product.

The idea is to encrypt each packet across the network with four different layers of security, using specialized technology and packet drivers that are installed on each protected PC. All this has the effect of hiding the packets from any prying network sniffers or packet capture devices, yet still allowing them to be transmitted across ordinary Internet routers and switches. Stealth uses a hardware appliance on your network, and it can be pricey, starting at $30,000.

Unisys' Stealth makes use of an XML-based configuration schema that is somewhat hard to parse and debug.

If that isn't appropriate or too costly, you might be better off using a better web browser. Earlier this year, I looked at several of these technologies.

The idea is to prevent malware from being transmitted from an infected website (which you may not necessarily know has been compromised) by having an air gap between the PC that is doing the browsing and the PC that is actually being used by you sitting on your desk. There are several products available.

One is used by Authentic8 Silo's browser. Silo connects across the Internet to a Linux machine in Seattle, according to our tests. The information is then transferred to your own PC securely, so supposedly any malware or other executable files aren't going to find their way to your own PC. They also keep your business and personal data separate from the actual browsing session.

Here is an example of additional control options for teams using this browser:

David Strom

Another solution is from Spikes and actually called Air Gap. It runs a virtualized session on another machine across the Internet, in this case a Linux-based VM in California, according to our tests. The VM renders the content and converts it to pixels that are compressed and streamed to your desktop, so in effect any malware or other bad stuff is rendered useless since there is nothing to actually execute on your own machine. Every user session has its own virtualized session and even every browser tab has its own session and is isolated from the other tabs.

Both Spikes and Authentic8 don't cost an arm and a leg: you can get site licenses for less than $100 per user per year.

The moral of the air gap story: you need to be really, really careful about making sure to "mind the gap". Just because a computer isn't obviously connected to any communications network doesn't necessarily mean anything. Take a closer look at this research and see if you could be vulnerable.

This story, "How to bridge and secure air gap networks" was originally published by
ITworld.